Chill-project/ansible-role-chill
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssl / tsl and storage of document

Browse Source
This commit is contained in:
Julien Fastré 2024-12-30 11:37:55 +01:00
parent bf2e38ad51
commit c6b32d6005
Signed by: julienfastre
GPG Key ID: BDE2190974723FCB
7 changed files with 74 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
tasks/chill/main.yml
View File

@ -54,5 +54,15 @@
- lexik_jwt_authentication.yaml - lexik_jwt_authentication.yaml
- messenger.yaml - messenger.yaml
- monolog.yaml - monolog.yaml
- chill_doc_store.yaml
- framework.yaml
loop_control: loop_control:
loop_var: file loop_var: file
- name: Create directory for storing data
ansible.builtin.file:
path: "{{ doc_storage_dir }}/{{ item['chill_environment'] }}"
owner: "82"
group: "82"
mode: '0766'
state: directory

18
tasks/chill/self_signed.yml Normal file
View File

@ -0,0 +1,18 @@
- name: Create directory for storing certificates
ansible.builtin.file:
path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}"
state: directory
owner: "{{ as_user }}"
mode: '0400'
- name: Create private key
community.crypto.openssl_privatekey:
path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/key.pem"
- name: Create self signed certificate
community.crypto.x509_certificate:
privatekey_path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/key.pem"
path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/cert.pem"
provider: selfsigned

7
tasks/traefik.yml
View File

@ -13,3 +13,10 @@
owner: "{{ as_user }}" owner: "{{ as_user }}"
notify: notify:
- Restart traefik - Restart traefik
- name: Create directory for storing certificates
ansible.builtin.file:
path: "/var/traefik/certs"
state: directory
owner: "{{ as_user }}"
mode: '0400'

19
templates/compose.yaml
View File

@ -6,13 +6,19 @@ services:
- app:php - app:php
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.frontend-{{ item.chill_environment }}.rule=Host(`{{ item.host }}`)"
- "traefik.http.routers.frontend-{{ item.chill_environment }}.entrypoints=web"
- "traefik.docker.network=traefik" - "traefik.docker.network=traefik"
{% if item.expose_port is not false -%} - "traefik.http.routers.frontend-{{ item.chill_environment }}.rule=Host(`{{ item.host }}`)"
ports: - "traefik.http.routers.frontend-{{ item.chill_environment }}.entrypoints=websecure"
- "{{ item.expose_port }}:80" {%+ if item.tls_config == 'self_signed' +%}
{% endif -%} - "traefik.http.routers.frontend-{{ item.chill_environment }}.tls=true"
{%+ endif +%}
{%+ if item.expose_port is not false +%}
- "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.rule=PathPrefix(`/`)"
- "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.entrypoints=chill{{ item.chill_environment }}"
{%+ if item.tls_config == 'self_signed' +%}
- "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.tls=true"
{%+ endif +%}
{%+ endif +%}
networks: networks:
- traefik - traefik
- default - default
@ -25,6 +31,7 @@ services:
- './config/prod:/var/www/app/config/packages/prod:ro' - './config/prod:/var/www/app/config/packages/prod:ro'
- './var:/var/www/app/var:rw' - './var:/var/www/app/var:rw'
- '/var/logs/chill:/var/www/app/logs' - '/var/logs/chill:/var/www/app/logs'
- '{{ doc_storage_dir }}/{{ item['chill_environment'] }}:/var/storage'
links: links:
- redis - redis
- relatorio - relatorio

3
templates/config/prod/chill_doc_store.yaml Normal file
View File

@ -0,0 +1,3 @@
chill_doc_store:
local_storage:
storage_path: '/var/storage'

3
templates/config/prod/framework.yaml Normal file
View File

@ -0,0 +1,3 @@
framework:
trusted_proxies: '172.150.0.0/24'
trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']

19
templates/traefik-compose.yaml
View File

@ -13,17 +13,36 @@ services:
- "--providers.docker=true" - "--providers.docker=true"
- "--providers.docker.exposedByDefault=false" - "--providers.docker.exposedByDefault=false"
- "--entryPoints.web.address=:80" - "--entryPoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
{%+ for c in chills +%}
{%+ if c.expose_port is not false +%}
- "--entryPoints.chill{{ c.chill_environment }}.address=:{{ c.expose_port }}"
{% endif +%}
{% endfor +%}
ports: ports:
# The HTTP port # The HTTP port
- "80:80" - "80:80"
- "443:443"
# The Web UI (enabled by --api.insecure=true) # The Web UI (enabled by --api.insecure=true)
- "8080:8080" - "8080:8080"
{% for c in chills +%}
{% if c.expose_port is not false +%}
- "{{ c.expose_port }}:{{ c.expose_port }}"
{% endif +%}
{%+ endfor +%}
volumes: volumes:
# So that Traefik can listen to the Docker events # So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- /var/traefik/certs:/var/traefik/certs
networks: networks:
- traefik - traefik
networks: networks:
traefik: traefik:
name: traefik name: traefik
driver: bridge
ipam:
config:
- subnet: 172.150.0.0/24